MELISSA: Towards Automated Detection of Undesirable User Actions in Critical Infrastructures

We address the detection of process-related threats in control systems used in critical infrastructures. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the industrial process. We use logs to detect anomalous patterns of user actions on a process control application. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
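The log-based detection of anomalous user-action patterns described above can be illustrated with a small Python example. This is added example code, not MELISSA's own implementation, and this page does not describe the paper's actual algorithm: the example assumes a frequent-pattern (Apriori-style, two levels) baseline over per-session transactions, a 30-minute session gap, a minimum support of 0.5, and a constructed `timestamp user action target` log format, all of which are assumptions. It flags two kinds of findings: actions never seen in the baseline, and combinations of individually legitimate actions that never co-occur in a normal session, which is the "looks legitimate but disrupts the process" case the abstract emphasises.

```python
"""Added example: frequent-pattern baseline for operator actions in process-control logs.

Not MELISSA's code; the detection method, log format, session gap and support
threshold below are assumptions made for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

SESSION_GAP = timedelta(minutes=30)  # assumed: 30 min of inactivity starts a new session
MIN_SUPPORT = 0.5                     # assumed: a pattern is "normal" if seen in >= 50% of sessions

# Constructed baseline log (not real data): "timestamp user action target".
BASELINE_LOG = """\
2011-03-01T08:00:00 op1 SET_POINT pump_3
2011-03-01T08:02:00 op1 OPEN valve_12
2011-03-01T08:05:00 op1 ACK alarm_7
2011-03-01T13:00:00 op1 SET_POINT pump_3
2011-03-01T13:03:00 op1 OPEN valve_12
2011-03-01T09:00:00 op2 SET_POINT pump_3
2011-03-01T09:04:00 op2 ACK alarm_7
2011-03-01T09:06:00 op2 CLOSE valve_12
2011-03-01T16:00:00 op2 SET_POINT pump_3
2011-03-01T16:02:00 op2 CLOSE valve_12
"""

# Constructed new log: op1 opens and closes the same valve in one session and stops a
# pump (never seen); op2 performs a routine session.
NEW_LOG = """\
2011-03-02T08:00:00 op1 SET_POINT pump_3
2011-03-02T08:01:00 op1 OPEN valve_12
2011-03-02T08:01:30 op1 CLOSE valve_12
2011-03-02T08:02:00 op1 STOP pump_3
2011-03-02T09:00:00 op2 SET_POINT pump_3
2011-03-02T09:02:00 op2 OPEN valve_12
"""


def parse_log(text):
    """Parse 'timestamp user action target' lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
                       "action": parts[2], "target": parts[3]})
    events.sort(key=lambda e: e["ts"])
    return events


def sessionize(events, gap=SESSION_GAP):
    """Group each user's events into sessions separated by >= gap of inactivity.
    Each session becomes one transaction: the set of (action, target) items."""
    last_seen, session_no = {}, Counter()
    sessions = defaultdict(list)
    for e in events:
        u = e["user"]
        if u in last_seen and e["ts"] - last_seen[u] >= gap:
            session_no[u] += 1
        last_seen[u] = e["ts"]
        sessions[(u, session_no[u])].append((e["action"], e["target"]))
    return [(u, frozenset(items)) for (u, _), items in sessions.items()]


def mine_patterns(transactions, min_support=MIN_SUPPORT):
    """Support counting for single items and item pairs (Apriori, two levels).
    Returns the set of patterns whose support >= min_support."""
    n = len(transactions)
    counts = Counter()
    for _, items in transactions:
        for item in items:
            counts[frozenset([item])] += 1
        for a, b in combinations(sorted(items), 2):
            counts[frozenset([a, b])] += 1
    return {p for p, c in counts.items() if c / n >= min_support}


def score_session(items, frequent):
    """Return (novel single actions, novel pairs of individually frequent actions)."""
    novel_items = {i for i in items if frozenset([i]) not in frequent}
    novel_pairs = [frozenset([a, b]) for a, b in combinations(sorted(items), 2)
                   if a not in novel_items and b not in novel_items
                   and frozenset([a, b]) not in frequent]
    return sorted(novel_items), novel_pairs


def detect(baseline_text, new_text, min_support=MIN_SUPPORT):
    """Build the baseline from one log and report sessions in another that deviate."""
    frequent = mine_patterns(sessionize(parse_log(baseline_text)), min_support)
    findings = []
    for user, items in sessionize(parse_log(new_text)):
        novel_items, novel_pairs = score_session(items, frequent)
        if novel_items or novel_pairs:
            findings.append((user, novel_items, novel_pairs))
    return findings


if __name__ == "__main__":
    for user, novel_items, novel_pairs in detect(BASELINE_LOG, NEW_LOG):
        print(f"session by {user}: unseen actions={novel_items}, "
              f"unseen combinations={[sorted(p) for p in novel_pairs]}")
```

On the constructed data the op2 session produces nothing, while the op1 session is reported for the never-seen `STOP pump_3` and for the `OPEN valve_12` / `CLOSE valve_12` combination, even though each of those two actions is common on its own. The anti-monotonicity of support is used deliberately: a pair containing an already-novel action is not reported a second time, so each finding points at one distinct deviation from the baseline.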
